(54) Virtual network architecture



(57) A network infrastructure comprises a number
of connective devices (routers (2), repeaters (C1, C4),
bridges (C3), etc.) to form a communication network for
a plurality of end nodes (N1...Nv). Message packets
originating with an end node are assigned an input
virtual network and workgroup identification at the port
(P1..Pv) at which the packet enters the network. This
assigned input virtual network and workgroup
identification is compared, at each port (P1..Pv) from which the
packet can exit the network infrastructure, with output
virtual network and workgroup identification assigned
the particular port. If the input virtual network information
does not match the output virtual network information,
the packet is prohibited from exiting that port. Even if
there is a match between the input and output virtual
network information, there must also be a match
between at least one bit of the input workgroup
identification and the output workgroup identification before the
packet can exit the port.
Description

The present invention relates generally to networks 
of the type that connect two or more data processing 
elements to one another for data communication. More 
particularly, the invention relates to a method and appa- 
ratus for dividing a physical network into a number of 
separate, "virtual" networks and work groups. Commu- 
nication is then allowed only between elements that are 
members of the same virtual network and workgroup. 

The recent growth of the personal computer market 
has been accompanied by the desire to interconnect 
numbers of personal computers for resource sharing, 
distributed processing, and like data processing func- 
tions. Such interconnectivity is often accomplished us- 
ing local area network (LAN) or wide area network 
(WAN) topologies. A LAN topology typically intercon- 
nects data processing equipment in a limited geograph- 
ic area by such physical media as twisted pair wiring or 
coaxial cable and various connective devices such as 
repeaters, routers, and bridges. Information is
communicated by message packets.

Repeaters operate to repeat information from one 
transmitting medium to all others to which the repeater 
connects; that is, a repeater connects segments of the 
same network to form an extended network, and message
packets received by the repeater are repeated to
all connected segments. Bridges, on the other hand, 
connect separate LANs. Bridges typically operate to 
pass message packets on one LAN to another LAN if 
the destination of that message packet is not located on 
the source LAN, examining the message packet to de- 
termine onto which network the message packet should 
be forwarded. 

Routers also connect separate LANs. They are ca- 
pable of communicating with end nodes and other rout- 
ers. Message packets are forwarded based upon the 
destination address contained in the message packets 
and internal routing tables in the routers. 

Since bridges and routers are capable of selective 
communication of message traffic, they do perform 
some message security functions. One limitation of this 
is that end nodes (the data processing elements inter- 
connected by the network) on the same local area net- 
work (LAN) have access to all message packets sent to 
any one of them. 

Recent advances in the industry have provided re- 
peaters with the ability to perform security functions in 
order to preclude connected end nodes from receiving 
message packets. Examples of such message security
are found in U.S. Pat. Nos. 5,177,778; 5,161,192; and
4,901,348. A message packet received by a repeater
will be examined for source and/or destination
information contained in the message packet. Based upon that
examination, a determination is made as to which ports
of the device will be allowed to re-send the message
packet, and which will be precluded from re-sending.

According to the present invention there is provided
a connective device for incorporation into a data
communications network consisting of a plurality of such
devices, comprising a plurality of message data receiving/
transmitting ports for communicating with one or more
of a plurality of data communicating devices; first circuit
means associated with each of said ports for assigning
identifying data associated with each port to incoming
message data received from one or more said data
communicating devices and forwarding said identifying data
with said message data; and second circuit means at
each of said ports for storing qualifying data associated
therewith, said second circuit means comparing
identifying data associated with outgoing message data with
stored qualifying data and transmitting the outgoing
message data unaltered only if a match is found
between said identifying data and said stored qualifying
data.

The invention is preferably employed in a network
infrastructure of a type including a number of connective
devices (e.g., repeaters, routers, and bridges)
interconnected to provide data communication between data
processing elements. Specifically, the invention
provides a method, and apparatus for implementing that
method, for controlling message traffic and bandwidth
within a network based upon the entry and exit points of
the network infrastructure used by the message traffic.
The invention operates to prevent unauthorized
communication, limiting transmission of message traffic
from the network infrastructure to only those exit points
authorized, based upon the point of entry to the network
infrastructure of the message traffic.

Broadly, the invention allows the physical
configuration of a network infrastructure to be sub-divided into
a number of "virtual" networks. Entry/exit points to the
network infrastructure for end nodes (i.e., data
processing equipment such as workstations, peripherals, and
shared resources) are assigned to one or another of the
virtual networks, thereby assigning the connected end
nodes to the corresponding virtual networks. Further,
according to the invention, each virtual network may be
divided into workgroups, and the entry/exit points (and,
therefore, the connected end nodes) assigned to one or
more such workgroups. Communication between the
end nodes is limited to those assigned to specific virtual
networks and workgroups.

In a preferred embodiment of the invention the
network infrastructure employs a number of connective
devices (routers, repeaters, bridges, and the like) that are
interconnected to one another. They connect to end
nodes by physical transmission media such as twisted
pair wiring or coaxial cable. The network infrastructure
provides data communication for message traffic in the
form of message packets between end nodes that
connect to ports (entry/exit points) of the infrastructure by
physical media. According to the invention, each port
providing entry/exit access to/from the network
infrastructure is provided with virtual network identification
(VNID) information. Entry points to the network
infrastructure are assigned an input virtual network
identification (I-VNID), and all message packets incoming
through a port of the network infrastructure (i.e., at a
particular connective device) from an end node will have
the I-VNID information assigned to that port associated
with the packet. This association is maintained as long
as the packet remains in the network infrastructure.

Similarly, exit points from the network infrastructure
are assigned an outgoing virtual network identification
(O-VNID). A port may have an assigned I-VNID that is
the same as its assigned O-VNID, or the assigned
I-VNID and O-VNID for the port may be different.

When a message packet has entered the network
infrastructure, and in so doing been assigned I-VNID
information, that I-VNID information is checked at all ports
of the network infrastructure at which the packet seeks
departure by comparing the message packet's I-VNID
information with the O-VNID information of the
departure port. If the I-VNID information of the packet matches
the O-VNID of the port, the packet will be transmitted
from the port. Conversely, if there is no such match, the
packet will not be transmitted.

In the preferred embodiment of the invention the
VNID information includes two separate fields: one to
identify the particular virtual network to which a port is
assigned, and the second to identify one or more
"workgroup" divisions of which the port is a member.
Generally then, message packets are allowed to exit only
those ports having O-VNID information that identifies a
virtual network and workgroup assignment that matches
that allocated the message packet by the port of its
entry. (As will be seen, the virtual network assignments
must match exactly, but only one of the number of
possible workgroup assignments need match for exit from
a port.) On the other hand, the port will not send the
message packet if the I-VNID information associated
with the message packet does not match the O-VNID of
the port from which the packet seeks to exit.

In the case of exit ports in a repeater, if the exit port 
is of a virtual network different from that identified in the 
I-VNID information of the message packet, or if there is
no workgroup match, the message will exit the port with 
the data of the message replaced with a meaningless 
bit pattern. 

There are a number of advantages achieved by the 
present invention. By dividing a physical network infra- 
structure in the manner proposed by the invention, mes- 
sage packets can be allocated to limited numbers of 
ports and end nodes rather than allowing the message 
packets to propagate through the entire system. In one 
embodiment of the invention, the capability of being able 
to preclude retransmission of a message from a port exit 
that is not a member of virtual network/workgroup asso- 
ciated with the packet provides a way to manage band- 
width on a media segment. End nodes of a particular 
media segment will see only those message packets 
originating with the other end nodes (if any) connected 
to that media segment and such other message packets
from the network infrastructure having an I-VLAN/workgroup
that matches the O-VNID/workgroup of the media
segment's port.

Another advantage is the security provided by the
invention. Only those end nodes connected to ports of
the network infrastructure that have matching I-VNID/
O-VNID/workgroup assignments will see information
contained in the packets; all other end nodes will either
see nothing, or a message with the data content
obliterated.

Still another advantage of the present invention is
its ability to allow multiple bridges connected in parallel
between two networks to load share. In this use of the
invention, consider two 2-port bridges that each connect
between the same two groups of stations. One bridge
and some of the stations would be assigned to a first
virtual network. The remainder of the stations and the
second bridge would be assigned to a second virtual
network. The bridges will then only see and possibly
forward message packets associated with the particular
virtual network to which they are assigned.

The invention also provides a method of operating
a data communications network comprising a plurality
of connective devices, each having a plurality of
message data receiving/transmitting ports for communicating
with one or more of a plurality of data communicating
devices, said method comprising the steps of assigning
to incoming message data at a receiving port identifying
data associated with the receiving port, forwarding said
message data to a transmitting port of the same or
another connective device along with said identifying data,
and transmitting said outgoing message data unaltered
only if the identifying data associated with said outgoing
message data matches qualifying data stored at the
transmitting port.

These and other advantages and features of the in- 
vention will become apparent upon a reading of the fol- 
lowing detailed description, which should be taken in 
conjunction with the accompanying drawings in order to 
obtain a full appreciation of the invention and its use.

Fig. 1 is a diagrammatic representation of a network
infrastructure incorporating the present invention;

Fig. 2 is an illustration of the format used for the
I-VNID and O-VNID information that is assigned to
each port of the network infrastructure of Fig. 1;

Fig. 3 is a general block diagram of a generic
connective device used in the network infrastructure of
Fig. 1 and incorporating the present invention; and

Fig. 4 is a block diagram illustrating the construction
of the VNID logic associated with each port of the
connective device of Fig. 3.

Referring now to the figures, and for the moment
specifically Fig. 1, broadly represented is a network
infrastructure designated with the reference numeral 10.
The network infrastructure 10 typically will include any
reasonable number of network connective devices C,
three types of which are illustrated here: repeaters C1
and C4, a router C2, and bridge C3, although, as will be
apparent, other connective devices may be included in
the network infrastructure.

As Fig. 1 shows, the connective devices C (C1, C2,
C3, and C4) are joined in a network topology that
employs a backbone bus 20 to which the connective
devices are attached. (In a preferred embodiment of the
invention the backbone bus 20 is formed by a printed
circuit backplane (not shown) to which printed circuit
boards (not shown) carrying the connective devices C
connect in conventional fashion such as through
multi-pin connectors.) It will be evident to those skilled in the
art, upon further reading of the following disclosure, that
the particular topology employed is not important to the
present invention. Star, distributed and other network
topologies may incorporate the invention.

The connective devices C serve as entry and exit
points to the network infrastructure 10 for nodes N (N1,
N2,...Nv) which connect to the network infrastructure by
media segments S (S1, S2,...) through communication
port P (P1, P2,...Pv). Fig. 1 also illustrates an end
node connected to the connective device C2, as
being assigned network management functions for
managing the network infrastructure 10 in conventional
fashion which, according to the present invention, will
include assigning the I-VNID and O-VNID information to
the ports P. Communication between the network
manager node and the connective devices C is by a
management bus 24. The structure and function of the
management bus 24 is conventional.

It is at each of these entry/exit points that assign- 
ment to a particular virtual network workgroup member- 
ship occurs. According to the present invention, each 
media segment S (and therewith the end nodes N that 
are connected to the network infrastructure 10 by the 
media segment S) is separately assignable to a virtual 
network and workgroup(s). 

Before continuing, it will be appreciated by those
skilled in this art that although only single end nodes N
are shown in Fig. 1, that does not indicate that each is
a single element (e.g., a work station in the form of a
personal computing device, or a printer, or file server).
Rather, each end node N may be a single processing
element or a number of processing elements connected
to a media segment S. If there is more than one processing
element using a media segment S, all those processing
elements will be, in effect, assigned membership to
the same VLAN and workgroup(s) by the port P to which
the particular elements represented by an end node N
connect.

The connective devices perform their usual function
except as modified by the incorporation of the virtual
network concepts of the present invention. Thus, the
connective device C1 performs repeater functions in which
message traffic received from any of the connected end
nodes (N1, N2,..., Nj) will be repeated to the backbone
bus 20 as well as to those other ports of the repeater
whose O-VNID matches the I-VNID associated with the
message. Transmission to the backbone bus 20
preferably is unrestricted. The repeater will also pick up
message traffic sent by other devices C onto the backbone
bus. The connective device C3 functions as a bridge to
communicate message traffic from one of media
segments Sp, ..., and/or the backplane bus to other media
segment(s) and/or the backbone bus with the added
requirement of a match at its exit ports between the I-VNID
and O-VNID information. Similarly, the router C2 will
transmit such traffic as would a normal router, with the
added requirement of a match between the I-VNID and
O-VNID information at its exit ports Pj P^.

The network infrastructure 10 is structured to
implement the Ethernet protocol according to IEEE 802.3
standard which uses a carrier sense multiple access
with collision detection (CSMA/CD) access method in
which data is sent in message packets. However, it will
soon be evident to those skilled in this art, if not already,
that other network protocols and implementations (e.g.,
asynchronous transfer mode, token ring, FDDI) can be
used to employ the invention. To implement the IEEE
802.3 protocol, this implementation uses the following
signals carried by the backbone bus 20: (1) a carrier
sense signal to indicate when a message packet is in
process, (2) a collision detection signal line to identify
that two or more end nodes are attempting to send at
the same time, and, of course, (3) a data signal. The
three signals are communicated by the connective
devices C, and carried by the backbone bus 20, in
conventional fashion. But, according to the present invention,
an additional signal is carried by the backbone bus 20
to communicate the I-VNID information associated with
a message packet. It will be appreciated, however, that
the VNID information need not be carried on a separate
signal line. For example, the carrier sense signal could
be alternated with the I-VNID information, and later the
two signals could be extracted when they are received
off the backbone bus. In the context of this
implementation however, for reasons not pertinent to the invention,
the I-VNID information of a packet travels with, but
separate from, the message packet while on the backbone
bus 20. As will be seen, each port P from which the
message packet can exit the network infrastructure 10 will
check the associated I-VNID of the packet to determine,
in a manner discussed below, if the message packet is
authorized to be transmitted from that port.

Fig. 2 illustrates the organization of the structure of
VNID information which may be either I-VNID or
O-VNID information, depending upon whether it is
information at an entry or an exit of a port P, respectively. As
Fig. 2 shows, the VNID information, designated with the
reference numeral 30, has two separate data fields: a
24-bit workgroup field 32 and a five-bit virtual network
(VN) 34.

The VN field 34 will identify one of up to 32 virtual
networks, allowing the network infrastructure 10 to be
divided into 32 virtual networks. If more are needed, the
VN field 34 can be expanded - although timing
limitations (e.g., the time for a repeater to re-transmit a
received message packet) may restrict the expansion. A
message packet that is assigned to a virtual network can
exit only those ports assigned to the same virtual
network.

The port P on which a message packet has entered
will also have membership in zero or more workgroups
within the assigned virtual network. Workgroup
membership is identified by setting one or another bit portion of
the workgroup field 32 to a particular state (e.g., a logic
ONE). Each bit position of the workgroup field 32
signifies, when set, membership in the workgroup
represented by that bit position. Conversely, a bit position set to
the opposite state identifies non-membership.

Each port P of the network infrastructure 10 is
assigned both an input VNID (i.e. I-VNID) and an output
VNID (O-VNID), both structured as shown in Fig. 2.
Every message packet entering the network infrastructure
10 will have associated with it the I-VNID assigned to
the port P at which the message packet entered. This
associated I-VNID will be compared to each port P at
which the message packet seeks exit, and will be
allowed to exit the port P only if the VN data fields 34 of
both match and if at least one bit of the workgroup field
of both is set to a state that indicates membership in the
corresponding workgroup.

As an example, assume that devices connected to
the access ports P1 and P2 of connective device C1, port
Pj of connective device C2, and port P^ of connective
device C3 are assigned to a virtual network VN1.
Thereby, message traffic originating with any of the end nodes
N1, N2, Nj, and N^ will be associated with virtual network
VN1. Assume further that the devices connected to
access ports P^, and Pp, are assigned to a virtual network
VN2. Within the virtual network VN1 there may be one
or more workgroups to which the end nodes N1, N2, Nj
Np are assigned. Also assume that for each of those
ports, the O-VNID assignment will be identical to the
I-VNID assignment. (Were they different, an end node
could send messages to one group, and receive
message only from another virtual group.)

Now, message traffic from end node N2 (a member
of virtual network VN1) will enter the network
infrastructure at the associated access port P2, to be
re-transmitted from only those exit ports P belonging to the same
virtual network (VN1) and having membership in at least
one of the same workgroups in which P2 holds
membership. Message traffic from end node N2 will be blocked
at the exits provided by those ports of the network
infrastructure not assigned to virtual network VN1, such as
those assigned to VN2, as well as by those access ports
assigned to virtual network VN1, but not having
membership in any workgroup in which access port P2 holds
membership.

Access ports P may be assigned to multiple
workgroups. For example, the access port P1 may have an
I-VNID that assigns incoming message traffic to
engineering, purchasing, and MIS workgroups so that
message traffic originating with the end nodes sharing the
media segment S1 that connects to entering access port
P1 will be re-transmitted from those access ports (of
virtual network VN1) holding membership in at least one
of those workgroups.

Turning now to Fig. 3, a representative connective
device, designated as Ci, is illustrated. The connective
device Ci is meant to represent any of the connective
devices C1,..., C4 of Fig. 1. Fig. 3 shows the connective
device Ci as including transfer logic 40 individually
connected to each of a plurality of port logic modules 42 by
signal lines 48. Transfer logic 40 is also connected, by
signal lines 46, to driver/receiver circuits 44 that, in turn,
connect the device Ci to the backbone bus 20.

The transfer logic 40, and the port logic modules 42,
are connected to a microprocessor 47 which
communicates with the transfer logic 40 and port logic modules
42 by an address/data (Addr/Data) bus 49. The
microprocessor 47 connects to the management bus 24
through a management bus interface 51. Information
configuring the connective device is sent by the network
manager node N^ (Fig. 1) to the microprocessor 47. The
microprocessor, then, operates to write any necessary
registers (not shown) of the transfer logic 40 to direct its
operation, or to write VN and workgroup registers (Fig.
4) contained in the port logic modules 42 with VNID
(i.e., I-VNID or O-VNID) information.

The particular construction of the transfer logic 40
depends upon the type of connective device. If, for
example, the connective device Ci is a repeater, then the
transfer logic 40 would take on the form of conventional
repeater logic so that the connective device Ci performs
conventional repeater functions, receiving the signals of
message traffic, regenerating and reclocking those
signals for re-transmission. Alternatively, if the connective
device Ci takes the form of a multi-port bridge to connect
networks, the transfer logic will perform the conventional
bridging functions. Similarly, if the connective device Ci
is a router, the transfer logic is structured to perform
conventional routing functions. Whatever the form the
connective device Ci takes is immaterial to the
implementation of the present invention, as will be seen.

Continuing with Fig. 3, the port logic modules 42 are
structured to communicate with the end nodes
connected to the ports by the media segments S (e.g.,
twisted-wire pairs, coaxial cable). Each port logic module 42
incorporates virtual network logic that is responsible for
assigning the I-VNID and information to the incoming
message packets. The port logic modules 42 also
include the logic and circuitry for maintaining the O-VNID
information assigned the port, and comparing the
O-VNID information to the I-VNID associated with
message traffic sent to the port. The port transmits the
message traffic onto the media segment S using
driver/receiver circuits appropriate to the media used. The
comparison performed will conclude in one of three actions,
depending upon the configuration used: First, the
message packet will be retransmitted from the port without
modification if the I-VNID associated with the message
packet matches the O-VNID of the port. If the I-VNID
information does not match the O-VNID assigned to the port,
in one embodiment of the invention, the message
packet will be discarded; in another embodiment of the
invention the information content (data) of the message
packet will be replaced with either a meaningless
quantity (e.g., an alternating sequence of ones and zeros),
or an encrypted version of the information content. For
this latter embodiment the teachings of U.S. Patent No.
5,177,778 may be used insofar as replacement of
portions of a packet with less intelligible information is
considered.
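
The exit-port check and its three outcomes described above, as an added example in C that is not code from the patent. The port table, the workgroup bit names, the struct representation of the Fig. 2 fields and the rule that a packet is not returned to its own entry port are assumptions made for illustration; P5 shows a port whose I-VNID and O-VNID differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* VNID per Fig. 2: five-bit VN field, 24-bit workgroup bit mask. */
#define VN_MASK 0x1Fu
#define WG_MASK 0xFFFFFFu

typedef struct { uint8_t vn; uint32_t wg; } vnid_t;
typedef struct { const char *name; vnid_t i_vnid, o_vnid; } port_t;
typedef enum { EXIT_FORWARD, EXIT_DISCARD, EXIT_OBSCURE } exit_action_t;

/* Workgroup bit assignments are constructed for this example. */
enum { WG_ENG = 1 << 0, WG_PURCH = 1 << 1, WG_MIS = 1 << 2, WG_SALES = 1 << 3 };

#define VNID(vn, wg) { (uint8_t)((vn) & VN_MASK), (uint32_t)((wg) & WG_MASK) }

/* Constructed port table (not the assignment of the patent's Fig. 1). */
static const port_t PORTS[] = {
    { "P1", VNID(1, WG_ENG | WG_PURCH | WG_MIS), VNID(1, WG_ENG | WG_PURCH | WG_MIS) },
    { "P2", VNID(1, WG_ENG),   VNID(1, WG_ENG)   },
    { "P3", VNID(1, WG_SALES), VNID(1, WG_SALES) },
    { "P4", VNID(2, WG_ENG),   VNID(2, WG_ENG)   },
    /* I-VNID differs from O-VNID: P5 can send to ENG but, with no
     * workgroup bit set on output, nothing exits it unaltered. */
    { "P5", VNID(1, WG_ENG),   VNID(1, 0)        },
};
#define NPORTS (sizeof PORTS / sizeof PORTS[0])

/* Exit rule: VN fields equal AND at least one common workgroup bit set. */
int vnid_match(vnid_t pkt_i, vnid_t port_o)
{
    if (pkt_i.vn != port_o.vn)
        return 0;
    return (pkt_i.wg & port_o.wg & WG_MASK) != 0;
}

/* Decide what an exit port does with a packet carrying I-VNID pkt_i.
 * obscure_on_mismatch selects between the two mismatch embodiments:
 * 0 = discard, 1 = replace the data with alternating ones and zeros. */
exit_action_t egress_check(vnid_t pkt_i, const port_t *exit_port,
                           int obscure_on_mismatch, uint8_t *data, size_t len)
{
    if (vnid_match(pkt_i, exit_port->o_vnid))
        return EXIT_FORWARD;
    if (!obscure_on_mismatch)
        return EXIT_DISCARD;
    memset(data, 0xAA, len);            /* 10101010 ... */
    return EXIT_OBSCURE;
}

/* Bit k set => PORTS[k] forwards, unaltered, a packet that entered at
 * PORTS[ingress]. The entry port itself is skipped (assumption). */
uint32_t exit_mask(size_t ingress)
{
    uint32_t mask = 0;
    for (size_t k = 0; k < NPORTS; k++)
        if (k != ingress && vnid_match(PORTS[ingress].i_vnid, PORTS[k].o_vnid))
            mask |= 1u << k;
    return mask;
}

/* 1 if the segment on PORTS[egress] receives the original data intact. */
int reads_payload(size_t ingress, size_t egress, int obscure_on_mismatch)
{
    static const uint8_t sample[] = "constructed payload";
    uint8_t wire[sizeof sample];
    memcpy(wire, sample, sizeof sample);
    exit_action_t a = egress_check(PORTS[ingress].i_vnid, &PORTS[egress],
                                   obscure_on_mismatch, wire, sizeof wire);
    return a == EXIT_FORWARD && memcmp(wire, sample, sizeof sample) == 0;
}

int main(void)
{
    for (size_t in = 0; in < NPORTS; in++) {
        printf("from %s ->", PORTS[in].name);
        for (size_t k = 0; k < NPORTS; k++)
            if (exit_mask(in) & (1u << k))
                printf(" %s", PORTS[k].name);
        printf("\n");
    }
    return 0;
}
```
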

Message packet transfers between connective
devices include transfers of associated I-VNID
information. As Fig. 3 illustrates, the backbone bus 20 is divided
into two separate sub-busses 20a and 20b. The
sub-bus 20a is structured to carry the message packet and
associated signaling necessary for the IEEE 802.3
protocol, while the sub-bus 20b carries ("out-of-band") the
I-VNID information associated with the message packet
being transmitted on the sub-bus 20a.

Fig. 4 shows the port logic module 42 in greater
detail. The port logic module 42 includes two pairs of
registers: 60-62, and 64-66. Registers 60 and 62
respectively hold the I-VNID and workgroup information
assigned to incoming message from the media segment
S. Register 60 contains the five bits of VN information,
while register 62 contains the 24 bit workgroup data.

The content of registers 60, 62 are applied to the
multiplexer 70. Under management of control logic 72,
selection is made by the multiplexer 70 between the
registers 60, 62, or a "quiescent state," creating the I-VNID
information that is passed with each message received
from the media segment S, to the transfer logic 40 (Fig.
3).

Digressing for the moment, not specifically shown
are optional network agent(s) that may operate in
conventional fashion as an intermediary between the
network's network manager (i.e., end node N^) and the
management bus. Typically, one or more connective
devices are mounted on a chassis, and that chassis may
include the network agent(s) (not shown). The agent(s)
may also connect to the backbone bus 20 for receiving
and translating administrative commands issued by the
network manager end node N^^ via another device C.
The translation of those commands is communicated to
the object of the command - the connective device
affected by the command - via management bus 24. Thus,
for example, a network administrator may wish to assign
(or reassign) port P2 of the connective device (repeater)
C1 (Fig. 1) a new I-VNID or O-VNID (or both). The
network manager end node N^^ issues a command that is
communicated to the agent(s) (not shown) in the
chassis containing the connective device C1. The agent(s),
in turn, will translate the command, and communicate it
to the network device (specifically, to the
microprocessor 47 of the connective device C1) to carry out the
command, i.e., to cause the registers 60,..., 66 of port
P2 to be loaded with whatever the command specifies.
The microprocessor 47 of the connective device in
question will communicate the I-VNID and/or O-VNID
information to the appropriate port logic module 42.

Returning again to Fig. 4, the port logic module 42
is shown as also including a multiplexer (MUX) 74
whose output is applied to one input of compare logic
76. The MUX 74, under control and supervision of the
control logic 72, selects between the content of registers
64, 66, and a QUIESCENT STATE for application to the
compare logic 76. The second input of compare logic
receives, from the transfer logic 40, the I-VNID
associated with any message packet forwarded to the port
logic module. The output of the compare logic 76 is applied
to control logic 72 which operates to control multiplexer
80. Multiplexer 80 is discussed below.

The signals communicated by the signal lines 48
between the transfer logic 40 and the port logic module
42 include those shown in Fig. 4. The I-VNID information
contained in registers 60, 62 and associated to incoming
(from media segment S) message packets is conveyed
to the transfer logic 40 via signal line 48a. The BRTS
signal is carried by signal line 48b, and is used by the
transfer logic 40 to inform the logic modules 42 of an
active outgoing message packet towards the media
segments. Similarly, the signal line 48c carries the
I-VNID information associated with the message packet
being forwarded to the port logic module for
transmission on the media segment S. The associated message
packet is carried to the port logic module by the signal
line 48d. Incoming message packets from the media
segment S are carried from the media segment S to the
transfer logic 40 by signal lines 48e. The incoming
message packet is also applied to a carrier sense generator
84 which generates the carrier sense signal (BCRS) that
is carried to the transfer logic 40 by the signal line 48f.

In operation, an incoming message packet is first
transmitted by an end node on the media segment S,
received by the receivers of driver/receiver circuits (not
shown) of the port, and transferred to the transfer logic
40 - in conventional fashion. At the same time, the
I-VNID assigned the receiving port 42 is associated with
the incoming message packet by transferring the
information content of registers 60, 62 to the transfer logic
40 (Fig. 3) via the lines 48a of the bus lines 48.
Accordingly, the control logic 72 switches the MUX 70 to first
selectively communicate (serially) the information
contained in the register 60, and then the workgroup
information of register 62, onto the bus portion 48a. Thus,
the incoming message packet on signal line 48e, and
that port's VN and workgroup information (making up
the port's I-VNID) are communicated to the transfer
logic 40 for communication to the backbone bus 20, and to
the ports 42, depending upon (1) the destination of the
message packet as identified by the destination address
field contained in the frame, and (2) the make-up of the
connective device Ci (i.e., whether it is a repeater,
router, or bridge). Wherever the received message packet
goes, it will be accompanied by the I-VNID information.
If the message packet is transmitted onto the sub-bus
20a, the associated I-VNID information will accompany
the message packet on the sub-bus 20b.

Outgoing message packets to the media segment
S are handled by port logic module 42 in the following
manner. Before a message packet is communicated to
a port logic module 42 by the transfer logic 40, the associated
I-VNID is transferred via bus portion 48c and
applied to one input of the compare logic 76. The control
logic is alerted to impending receipt of a message packet
by assertion of a BRTS signal on the bus portion 48b.
Control logic will first select the content of register 64 for
application to compare logic 76, via the MUX 74. The
result of the comparison is passed to control logic 72.
The compare logic then switches the MUX 74 to select
the content of the register 66. Whereas the associated
virtual network portion of the I-VNID of the message
packet had to match the content of the register 64 exactly,
not so the comparison of the content of the register
66: a single bit match is sufficient. (It is also possible to
disable checking of either or both the VN and workgroups.)
However, if either comparison is unsuccessful,
the message packet will not be communicated on the
media segment S via driver circuits (not shown). Rather,
the control logic 72 will operate the MUX 80 to select, in
place of the message packet, the output of the JAM generator
to transmit instead a meaningless pattern of some
sort, or encryption, of the message packet or the quiescent
state. The JAM signal will be transmitted as per the
CSMA/CD protocol used in the case of a repeater.
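
The egress check described above, as an added example in C that is
not part of the original patent text. The struct and function names,
the 0x55 jam byte and the three sample ports are assumptions made for
illustration; the 5-bit and 24-bit field widths are the ones the
description gives.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VN_MASK 0x1Fu      /* 5-bit virtual network identifier */
#define WG_MASK 0xFFFFFFu  /* 24-bit workgroup identifier */

typedef struct { uint8_t vn; uint32_t wg; } vnid_t;

typedef struct {
    vnid_t in;       /* I-VNID, registers 60 and 62: stamped on ingress */
    vnid_t out;      /* O-VNID, registers 64 and 66: checked on egress */
    bool check_vn;   /* false models the "checking disabled" option */
    bool check_wg;
} port_t;

/* Ingress: the tag comes from the receiving port, never from the frame. */
vnid_t ingress_tag(const port_t *p) {
    vnid_t t = { (uint8_t)(p->in.vn & VN_MASK), p->in.wg & WG_MASK };
    return t;
}

/* Compare logic 76: VN must match exactly, workgroup needs one common bit. */
bool egress_permitted(const port_t *p, vnid_t tag) {
    bool vn_ok = !p->check_vn || (tag.vn & VN_MASK) == (p->out.vn & VN_MASK);
    bool wg_ok = !p->check_wg || (tag.wg & p->out.wg & WG_MASK) != 0;
    return vn_ok && wg_ok;
}

/* MUX 80: send the frame unaltered, or overwrite it with a jam pattern. */
bool egress_transmit(const port_t *p, vnid_t tag, uint8_t *frame, size_t len) {
    if (egress_permitted(p, tag)) return true;
    memset(frame, 0x55, len);  /* constructed stand-in for the JAM output */
    return false;
}

int main(void) {
    /* Constructed ports: eng and ops share VN 3 but no workgroup bit. */
    port_t eng = { {3, 0x000001}, {3, 0x000001}, true, true };
    port_t ops = { {3, 0x000002}, {3, 0x000002}, true, true };
    port_t srv = { {3, 0x000003}, {3, 0x000003}, true, true };
    uint8_t frame[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
    printf("eng->srv %d\n", egress_transmit(&srv, ingress_tag(&eng), frame, 4));
    printf("eng->ops %d\n", egress_transmit(&ops, ingress_tag(&eng), frame, 4));
    printf("frame[0] after jam: 0x%02X\n", frame[0]);
    return 0;
}
```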

While a full and complete description of the invention
has been provided in the context of a specific implementation,
it will be obvious to those skilled in this art
that changes and modification can be made. For example,
the I-VNID and O-VNID information need not be limited
to a 5-bit quantity for identifying a virtual network,
or a 24-bit workgroup identification. Rather, other field
sizes can be used to accommodate the particular employment
of the convention. Similarly, the I-VNID information
need not be carried on a separate signal line but
can be multiplexed with another signal onto a single signal
line. Also, the I-VNID and O-VNID could be constrained
to have the same value within each port, allowing
use of a single register instead of two.

Also, while the invention has been described in the
context of the IEEE 802.3 standard, it can easily be employed
in other protocols such as asynchronous transmission
mode (ATM), token ring, or FDDI, to name a few.



Claims 

1. A connective device for incorporation into a data
communications network consisting of a plurality of
such devices, comprising a plurality of message data
receiving/transmitting ports for communicating
with one or more of a plurality of data communicating
devices characterized in that first circuit means
(42) associated with each of said ports assign identifying
data (I-VNID) associated with each port to incoming
message data received from one or more
said data communicating devices (Nj) and forward
said identifying data with said message data and
second circuit means (42) at each of said ports for
stores qualifying data (O-VNID) associated therewith,
said second circuit means comparing identifying
data (I-VNID) associated with outgoing message
data with stored qualifying data (O-VNID) and
transmitting the outgoing message data unaltered
only if a match is found between said identifying data
and said stored qualifying data.

2. A connective device as claimed in claim 1, characterized
in that said second circuit means (42) substitutes
alternate data for said outgoing message
data prior to transmission in the event of a mismatch
between said identifying data and said stored data.

3. A connective device as claimed in claim 1, characterized
in that said alternate data is a meaningless
bit pattern.

4. A connective device as claimed in claim 1, characterized
in that said second circuit means (42) discards
said message data in the event of a mismatch
between said identifying data and said stored qualifying
data.

5. A connective device as claimed in any one of claims
1 to 4, characterized in that said first circuit means
(42) comprises first register means (60, 62) for storing
said identifying data to be assigned to incoming
message data; and said second circuit means comprises
second register means (64, 66) for storing
said qualifying data, and a comparator (76) for comparing
the identifying data associated with the outgoing
message data with the qualifying data stored
in said second register means.

6. A connective device as claimed in claim 5, characterized
in that it further comprises a microprocessor
(47) for updating said first register means (60,
62) in response to signals received from a network
manager (N^).

7. A connective device as claimed in claim 5 or 6, characterized
in that said first and second register
means (60, 62; 64, 66) each comprises a first register
(60, 64) for storing a virtual network identifier
and a second register (62, 66) for storing a workgroup
identifier to permit controlled access between
virtual networks identified by said virtual network
identifier, and workgroups within individual virtual
networks identified by said workgroup identifier.

8. A connective device as claimed in any one of claims
1 to 7, characterized in that it further comprises a
network interface (48) consisting of separate lines
for said message data and said identifying data assigned
thereto.

9. A data communications network characterized in
that it comprises a plurality of interconnected connective
devices as claimed in any one of claims 1 to 8,
said network being divided into a plurality of virtual
networks by suitable association of said identifying
data and said qualifying data with the various ports
of said connective devices.



10. A data communications network as claimed in claim
9, characterized in that said connective devices (Ci)
are connected together over a backbone bus (20a,
20b).

11. A method of operating a data communications network
comprising a plurality of connective devices,
each having a plurality of message data receiving/
transmitting ports for communicating with one or
more of a plurality of data communicating devices,
said method being characterized in that incoming
message data at a receiving port are assigned identifying
data associated with the receiving port, said
message data are forwarded to a transmitting port
of the same or another connective device along with
said identifying data, and said outgoing message
data are transmitted unaltered only if the identifying
data associated with said outgoing message data
matches qualifying data stored at the transmitting
port.

12. A method as claimed in claim 11, characterized in 
that said identifying data and said qualifying data 
comprise a virtual network identifier part and a 
workgroup identifier part to permit said network to 
be divided into a plurality of virtual networks and a 
plurality of workgroups within individual virtual net- 
works. 

13. A method as claimed in claim 12 or 13, character- 
ized in that said message data and said identifying 
data associated therewith are transmitted on sepa- 
rate sub-buses. 

14. A method as claimed in any one of claims 1 to 14,
characterized in that the connective devices are selected
from the group consisting of routers, bridges,
and repeaters.